Okta Statement on Breach by Hackers

David Bradbury, chief security officer for Okta, in a brief post on the company’s blog:

In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part of our regular procedures, we alerted the provider to the situation, while simultaneously terminating the user’s active Okta sessions and suspending the individual’s account. Following those actions, we shared pertinent information (including suspicious IP addresses) to supplement their investigation, which was supported by a third-party forensics firm.

Following the completion of the service provider’s investigation, we received a report from the forensics firm this week. The report highlighted that there was a five-day window of time between January 16-21, 2022, where an attacker had access to a support engineer’s laptop. This is consistent with the screenshots that we became aware of yesterday.

The screenshots they “became aware of yesterday” were shared on social media and, because Okta provides secure authentication to many companies, the breach has been widely-publicized. What Bradbury claims matches the evidence to date — that the attackers gained the privileges of a support engineer and no more. That’s something, but it doesn’t seem to be catastrophic. It would be a lot more reassuring, though, if the January incident had been disclosed before these screenshots were leaked to the public.

(This same hacking group, “Lapsus$”, claims to have stolen the source code for Cortana, Bing, and other projects from Microsoft.)

Update: New post from Bradbury:

After a thorough analysis of these claims, we have concluded that a small percentage of customers — approximately 2.5% — have potentially been impacted and whose data may have been viewed or acted upon. We have identified those customers and are contacting them directly. If you are an Okta customer and were impacted, we have already reached out directly by email. We are sharing this interim update, consistent with our values of customer success, integrity, and transparency.

Yowza. Seems pretty likely to me this is how “Lapsus$” stole source code from Microsoft.

Tuesday, 22 March 2022